From: Joey M. <ix...@cf...> - 2004-12-23 13:59:34
I'm sorry, I forgot to mention that I re-emerged Gentoo's snort_inline-2.1.1 with libnet-1.1.2.1. I hope this helps someone down the road.

> sorted! Running snort_inline as root (eliminating the '-u snort_inline -g
> snort_inline' from the cmd line in /etc/conf.d/snort_inline) seems to be
> working so far!
>
> I think you are right in the GRSecurity thing because I do utilize the
> randomize PIDs feature.
>
> Are there any downfalls to running snort_inline as root?
>
> cheers!
>
>> I've seen the mismatched snort_inline pid and /proc/net/ip_queue Peer pid
>> on kernels with grsecurity enabled, and it seems to still work fine for
>> some reason. I think it has something to do with pid randomization, but I
>> really haven't had time to look into it. Are you getting kern messages in
>> syslog about ipq peer termination or anything? If you are running grsec, I
>> would look elsewhere.
>>
>> Regards,
>>
>> Will
>>
>> "Joey McCoy" <ix...@cf...>
>> Sent by: snort-inline-users-...@li...urceforge.net
>> To: sno...@li...urceforge.net
>> cc:
>> Subject: [Snort-inline-users] Snort_inline, /proc/net/ip_queue problem
>> 12/22/2004 11:37 AM
>>
>> I've been using Gentoo and snort_inline-2.1.1 for quite a while now, but
>> all of a sudden snort_inline wasn't handling queued packets. I
>> investigated further to find out that snort_inline's PID does not match
>> the Peer PID in /proc/net/ip_queue. I've tried manually compiling
>> snort-2.1.1, nogo. I've even uninstalled Gentoo's snort_inline and libnet,
>> installed libnet-1.0.2a from source as well as snort_inline-2.2.0a, but
>> still same problem.
>>
>> I did have this problem before, but discovered that manually starting
>> snort_inline had fixed it. Why it's cropped up again, I do not know.
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
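The PID comparison discussed in this thread, as an added shell example that is not part of the original messages: it reads the "Peer PID" reported in /proc/net/ip_queue and compares it with the PID of the process expected to own the queue. The function names are hypothetical, the sample data is constructed, and the field layout ("Peer PID", "Queue length") is an assumption about the ip_queue module's proc output.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample of /proc/net/ip_queue contents. The field names and
# layout are an assumption about the ip_queue module's proc output.
sample_ip_queue() {
cat <<'EOF'
Peer PID          : 4711
Copy mode         : 2
Copy range        : 65535
Queue length      : 12
Queue max. length : 1024
EOF
}

# ipq_field FILE NAME: print the value of one "name : value" field.
ipq_field() {
    awk -F: -v key="$2" '
        { name = $1; sub(/[ \t]+$/, "", name) }
        name == key { val = $2; gsub(/[ \t]/, "", val); print val; exit }
    ' "$1"
}

# check_ipq_peer FILE PID: print one status line and always return 0, so
# the result can be captured under "set -e".
#   match      the queue is bound to the expected process
#   no-peer    no userspace process is bound to the queue
#   mismatch   another PID is bound; as noted in the thread, this can be
#              seen with grsecurity PID randomization while packets are
#              still handled, so the queued count is reported as a hint
check_ipq_peer() {
    peer=$(ipq_field "$1" "Peer PID")
    qlen=$(ipq_field "$1" "Queue length")
    if [ -z "$peer" ]; then
        echo "unreadable"
    elif [ "$peer" = "0" ]; then
        echo "no-peer"
    elif [ "$peer" = "$2" ]; then
        echo "match"
    else
        echo "mismatch peer=$peer expected=$2 queued=$qlen"
    fi
    return 0
}

# On a live system (as root):
#   check_ipq_peer /proc/net/ip_queue "$(pidof snort_inline)"
```

On a mismatch, repeat the check a few seconds apart: a queued count that keeps rising suggests nothing is issuing verdicts, while a count that stays low fits the "still works" case described for grsecurity kernels.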